Blog-like notes

Roadmap for implementing RFC 8314

The RFC 8314, recently published, recommends that mail servers use "implicit TLS" (automatic use of TLS on a dedicated TCP port) rather than "explicit TLS" (use of TLS triggered by STARTTLS or similar on otherwise cleartext standard TCP port) on all user-facing services (mail submission with SMTP and mail retrieval with POP or IMAP).

My own server, mail.incenp.org, was configured to offer only explicit TLS both for submission (on TCP port 587) and for mail retrieval (on standard IMAP TCP port 143). I describe here how to transition to the implicit TLS situation recommended by RFC 8314.

What needs to be changed?

In addition to the obvious changes that need to be made to the configuration of the SMTP and IMAP servers (Postfix and Dovecot, respectively), there are several other things to update:

In which order?

I suggest the following order:

  1. Generate a new certificate for mail.incenp.org (I use the same certificate both for the SMTP and the IMAP server) with the new SRV-IDs, along with the old SRV-IDs for the standard ports.
  2. Publish the new TLSA records.
  3. Configure Postfix to listen on port 465 with implicit TLS, while still offering explicit TLS on standard submission port 587.
  4. Likewise, configure Dovecot to listen on port 993 with implicit TLS, while still offering explicit TLS on standard IMAP port 143.
  5. Open TCP ports 465 and 993 in the firewall.
  6. Check with the clients that everything is working fine.
  7. Publish the new SRV records for the implicit TLS services. Assign them a lower priority than the existing records for explicit TLS services (as recommended by RFC 8314 §4.5.2).

The server is now in a “transitional state”, in which it offers both implicit TLS on ports 465 and 993, and explicit TLS on ports 587 and and 143. To reach the final state recommended by RFC 8314, in which only implicit TLS is offered:

  1. Remove the old SRV records for _imap._tcp.incenp.org and _submission._tcp.incenp.org.
  2. Close TCP ports 143 and 587 in the firewall.
  3. Configure Postfix to stop listening on port 587 and Dovecot to stop listening on port 143.
  4. Remove old TLSA records for ports 587 and 143.
  5. Optionally, generate a new certificate for mail.incenp.org without the old SRV-IDs. This can easily wait until the certificate has to be renewed.